HIPAA rules may affect email communications

October 15, 2013

By Craig Palmer, ADA News staff

Washington—Dentist email communications with patients may be affected by new HIPAA rules.

The Health Insurance Portability and Accountability Act omnibus final rule that took effect March 26 for compliance by Sept. 23, 2013, includes new requirements that may apply when a patient requests an electronic copy of the patient's information from a covered dental practice that maintains the record electronically.

Under the new rule, if the patient requests that the information be provided in an unencrypted email, the dental practice may be required to provide the information that way if the practice has advised the patient of the risk that the email might be accessed by an unauthorized third party and the patient still prefers to receive the information in an unencrypted email.

HIPAA requires that covered dental practices implement reasonable safeguards, including reasonable procedures, to ensure that the practice correctly enters the email address. The practice is not responsible for the email while in transit nor once it is delivered to the patient.

A dental practice would be prudent to consult qualified legal counsel to determine whether it is covered by HIPAA and how to respond to patient requests in compliance with applicable state and federal law.

The updated ADA Practical Guide to HIPAA Compliance Privacy and Security Kit provides more information on the new rule and a more detailed explanation of the procedures for responding to patient requests for copies of electronic records, including email responses. To purchase the ADA Complete HIPAA Compliance Kit (J598) visit ADAcatalog.org or call the ADA member service center at 1-800-947-4746.

In addition to the new HIPAA requirements, recent media reports suggest at least one vendor reassigns email addresses the vendor deems to be “inactive,” which might pose a risk for a dental practice that emails patient information to an address that has been reassigned to an unauthorized third party.